Handy Documents: Those Office 365 Service Descriptors

Microsoft has done a good job of publishing Service Descriptors for Office 365 here: http://www.microsoft.com/download/en/details.aspx?id=13602. These documents have become a valuable resource when I need concrete information about the various Office 365 services, settings, limits and configuration requirements, whether I am doing pre-sales engineering or working on a deployment.

One such instance came up recently in which I neglected to check the service descriptor and ended up with a longer-than-necessary problem. A client I worked with while at a previous employer began to have issues with new machines or new Outlook profiles connecting to Exchange Online. Since it worked fine initially during the pilot migrations, I made the assumption that something had changed at the client site. My thinking was that a firewall rule or internal DNS record had been changed. What also led me to this was the fact that from my computer I could configure a new Outlook profile just fine to the client's Office 365 Exchange Online environment. So after testing and trying numerous troubleshooting exercises, we were no closer to a solution.

I left my company and the client; another consultant took over the support and also struggled with the problem. Well, on Friday I got word the problem was solved!

Seems the client had a GPO to turn off encryption between the Outlook client and Exchange on all workstations in the environment.

Figure 1 – Encryption Setting in Outlook

The reason this was done was that in their on-premises environment they had Exchange 2007 centrally located but had numerous offices spread out throughout the US. They also utilized WAN accelerators between these offices to minimize and optimize WAN traffic. With Outlook MAPI traffic being encrypted, the WAN accelerators could not optimize the traffic, so they made a decision to turn off the encryption between the clients and Exchange servers. And with the initial pilot users able to talk to the Exchange servers, they seemed to get the new Mailbox server settings to the cloud just fine. The problem arose when a new machine was deployed to a cloud mailbox user or when a cloud mailbox user attempted to create a new Outlook profile.

So here is where the Service Descriptors come in. If only I had reviewed these first and then checked for the Encryption setting on the clients, it would have saved time and we could have found and corrected the GPO.
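One way to check a workstation for the setting described above, as an added example that is not part of the original post. It assumes the policy is stored as the DWORD `EnableRPCEncryption` under `HKCU:\Software\Policies\Microsoft\Office\<version>\Outlook\RPC`, which is where Microsoft documents it; the post itself does not name the registry location, and the function name is hypothetical.

```powershell
# Added example: report the Outlook "encrypt data between Outlook and Exchange"
# policy for the current user, for every Office version that has a policy key.
# Assumption: the policy value is the DWORD EnableRPCEncryption under
# HKCU:\Software\Policies\Microsoft\Office\<version>\Outlook\RPC.
function Get-OutlookRpcEncryptionPolicy {
    param(
        [string]$OfficePolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office'
    )

    # No Office policies applied to this user at all: nothing to report.
    if (-not (Test-Path -Path $OfficePolicyRoot)) { return }

    Get-ChildItem -Path $OfficePolicyRoot | ForEach-Object {
        $rpcKey = "$OfficePolicyRoot\$($_.PSChildName)\Outlook\RPC"
        $value  = $null
        if (Test-Path -Path $rpcKey) {
            # A missing value returns nothing, so $value stays $null.
            $value = (Get-ItemProperty -Path $rpcKey -Name 'EnableRPCEncryption' `
                        -ErrorAction SilentlyContinue).EnableRPCEncryption
        }

        if ($null -eq $value) {
            $state = 'NotConfigured'
        } elseif ($value -eq 0) {
            $state = 'DisabledByPolicy'   # the condition that broke new profiles
        } else {
            $state = 'EnabledByPolicy'
        }

        [pscustomobject]@{
            OfficeVersionKey = $_.PSChildName
            PolicyKey        = $rpcKey
            Value            = $value
            State            = $state
        }
    }
}

$results = Get-OutlookRpcEncryptionPolicy
$results | Format-Table -AutoSize
if ($results | Where-Object State -eq 'DisabledByPolicy') {
    Write-Warning 'A policy disables Outlook-to-Exchange encryption for this user.'
}
```

Run it as the affected user, since the check reads that user's policy hive; `gpresult /r` then shows which GPO applied the setting.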

Information below is from the Office 365 Security and Service Continuity Description.Docx and the Microsoft Exchange Online for Enterprise Service Description.Docx:

  • Transport layer security (TLS): The TLS encryption mechanism encrypts the connection between Exchange Online servers and client to help prevent spoofing and provide confidentiality for email messages in transit. TLS is also used for securing customers’ on-premises mail server traffic to Exchange Online during migration and coexistence scenarios.

    Exchange Online supports opportunistic TLS as well as forced TLS. For more information, see the Exchange Online Service Description.

  • Encryption between clients and Exchange Online: Client connections to Exchange Online use SSL to enhance security:
    • Securing Microsoft Outlook®, Outlook Web App, Exchange ActiveSync®, and Exchange Web Services traffic using TCP port 443.
    • Securing POP3 and IMAP using TCP port 995.

So please learn from my mistake and ensure you utilize the Service Descriptors as a trusted source for assisting with all things Office 365!
